ASA FQDN access-lists Part 1

A recent change came through which required a geo-spatial map data server on an isolated network to cache maps from various public entities. The geo-spatial database calls upon various websites: Bing, Google, government agencies and traffic management feeds combine to provide layered map data. When a static source references dynamic destinations, the firewall policy has to look beyond fixed IP addresses.

Fully Qualified Domain Name (FQDN) access-lists were introduced in 8.4(2) and allow an access-list to reference a hostname, which the ASA resolves to IP addresses through DNS. This post outlines what is required to perform the DNS lookup that enables FQDN ACLs.

This has definitely helped with the business problem we had. Because the policy now depends on DNS servers, we do expose ourselves to DNS hijacking: whatever address the resolver answers with becomes a permitted destination. Additional filtering can be applied to narrow "ip any" to the specific source host and destination port, which tightens the attack vector. The next part looks at DNS packet information and tweaking FQDN resolution to improve lookups.
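An added configuration example of the setup the post describes (not configuration from the original post or from the site in question): DNS lookup on the ASA, an FQDN network object for one map provider, and an access-list that limits the isolated map server to HTTPS toward that name rather than "ip any". The interface names, object names, the source host 10.20.30.5, the resolver 203.0.113.53 and the hostname maps.example.net are assumptions chosen for illustration.

```text
! Added example, not from the original post. Interface names, object names,
! the source host 10.20.30.5, the resolver 203.0.113.53 and the hostname
! maps.example.net are assumptions for illustration.

! 1. Let the ASA perform DNS lookups out of the outside interface.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53

! 2. Cache behaviour. expire-entry-timer keeps a resolved address for the
!    stated time after its DNS TTL expires (default 1 minute) before the rules
!    are recompiled without it, so a provider handing out very short TTLs does
!    not force constant re-resolution; poll-timer sets the periodic re-query.
dns expire-entry-timer minutes 120
dns poll-timer minutes 240

! 3. Name the dynamic destination instead of hard-coding an IP address.
object network MAP-PROVIDER-1
 fqdn v4 maps.example.net

object-group network MAP-PROVIDERS
 network-object object MAP-PROVIDER-1

! 4. Narrow "ip any" to the one source host, the named destinations and the
!    port the map client actually uses; log anything else for review.
access-list INSIDE-MAP-OUT extended permit tcp host 10.20.30.5 object-group MAP-PROVIDERS eq https
access-list INSIDE-MAP-OUT extended deny ip any any log
access-group INSIDE-MAP-OUT in interface inside

! Verification: list the addresses the ASA has resolved for each FQDN and the
! expanded access-list. A rule only matches addresses that appear here, so a
! resolver returning unexpected addresses is visible in this output.
! show dns-hosts
! show access-list INSIDE-MAP-OUT
```

Note that the permit line still trusts whatever addresses the resolver returns; the deny-and-log line and the show commands are what let you see when the resolved set changes unexpectedly.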

If you are going to use FQDN objects, I can only suggest you force a cache time of 1-2 hours.
Had lots of fun when one ASA came crashing down due to a cloud provider running DNS with a TTL of 10s, where the ASA spent lots of CPU just refreshing DNS entries.

Make sure people are aware of the caching policy and the fact that it only uses the first 4 or 8 or so entries returned, as this plays a bit screwy with some MS services which return 30-odd records.

Even more fun when people have internal and external DNS, he he he. Will leave you to work out how to do that one ;).

Yeah – I was sitting in a meeting listening to the requirements and thought to myself – surely this must exist. Juniper SRX has it too. Not uncommon given the widespread feature-set, though I do wonder about its deployment penetration.